Policy as Code

Security policies and compliance frameworks typically are documents. Text in these documents describes each guideline and its rationale, and sometimes the consequences of not complying.

But documents don't evaluate your environments. The work to verify that your infrastructure follows security standards is often manual, time intensive, and error prone. For example, if you need to manually demonstrate compliance for an audit, it can take weeks just to provide a snapshot of a single moment in time.

Policy as code lets you automate compliance using security benchmarks and best practices. The code serves two purposes: it documents the security guidelines, and it tests your systems to ensure they follow those guidelines.

Each Mondoo policy is a codified collection of checks: assertions that test for specific configurations. Each check evaluates to either true or false, and has an impact score that determines its importance within the policy. For example, the Linux Security policy might include checks that ensure the asset:

  • Doesn't accept ICMP redirects

  • Has prelink disabled

  • Has reverse path filtering enabled

... and dozens more.
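What such a policy looks like once codified, shown as an added illustration rather than an excerpt of Mondoo's Linux Security policy: a small cnspec-style policy bundle containing the three checks listed above. The uids, titles, author and impact values are made up for this example; the bundle layout (`policies`, `groups`, `checks`, `mql`) and the MQL resources used (`kernel.parameters`, `package`) are assumed to match the cnspec policy bundle format.

```yaml
# Added example: a minimal cnspec-style policy bundle, not Mondoo's own Linux Security policy.
# Each check is an MQL expression that evaluates to true (pass) or false (fail);
# impact (0-100) weights the check within the policy. uids, titles and values are constructed.
policies:
  - uid: example-linux-hardening
    name: Example Linux hardening policy
    version: 1.0.0
    authors:
      - name: Example author
        email: security@example.com
    groups:
      - title: Kernel and package hardening
        # Only evaluate this group of checks on Linux assets
        filters: asset.family.contains("linux")
        checks:
          - uid: example-no-icmp-redirects
            title: Doesn't accept ICMP redirects
            impact: 70
            # Multiple statements in one check: every line must hold for the check to pass
            mql: |
              kernel.parameters["net.ipv4.conf.all.accept_redirects"] == "0"
              kernel.parameters["net.ipv4.conf.default.accept_redirects"] == "0"
          - uid: example-prelink-disabled
            title: Has prelink disabled
            impact: 50
            mql: package("prelink").installed == false
          - uid: example-rp-filter-enabled
            title: Has reverse path filtering enabled
            impact: 60
            mql: |
              kernel.parameters["net.ipv4.conf.all.rp_filter"] == "1"
              kernel.parameters["net.ipv4.conf.default.rp_filter"] == "1"
```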

To learn more about policy as code, read About Policies. To learn more about checks, read Checks.

You choose whether to enable the Linux Security policy. If it's enabled, then when Mondoo scans Linux-based assets, it evaluates them based on the checks defined in that policy (as well as any other applicable policies you enable).

Mondoo has hundreds of policies for dozens of different types of platforms. You choose which policies you want to use as a basis to assess the security of your infrastructure. To learn how, read Manage Policies.